CVE-2024-40634

moderate-risk

Published 2024-07-22

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.

Do I need to act?

2.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Argo Cd

Affected Vendors

Argoproj

References (8)

Patch https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0...

Patch https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38...

Patch https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a...

Exploit https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w

Patch https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0...

Patch https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38...

Patch https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a...

Exploit https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 6/34 · Minimal

Exposure 5/34 · Minimal